What distinguishes a good security program?

One of the hardest questions to answer in the Information Security field is whether our security program is good or not. It’s a question we want to answer for many reasons, not least of which include:

Assuring my boss, my CEO, my Board, my company that the money and resources they’ve entrusted me with are appropriate and well utilized.

Being comfortable that we have done the right things to make a breach, theft, intrusion, etc as difficult and unlikely as possible.

Measuring your security program in an easy to understand, clear fashion.

Based on many years of my own experience, I’m going to tell you what I believe constitutes a good security program: one that is appropriate and effective, and one that you can measure and use to demonstrate that you are doing the right things. This is all about taking care of your “below the line” responsibilities. Those are the responsibilities that are your job, that you are just supposed to take care of, that the CEO doesn’t want to hear about every day.

Please notice that the VP of Marketing is not busy giving the CEO metrics on how many FTE hours were spent creating PowerPoint slide decks for the sales people to use. Those are the sort of “I’m busy” metrics that should never be used outside your own department. Of course you are busy; that is what your organization pays you to do.

Okay, so what makes a security program appropriate and effective (which is a good way of defining “good”) and can also be measured? I can sum it up pretty easily.

Do security basics really well.

Do good threat & attack intelligence.

Do good incident response.

Yep, that’s pretty much God, Country, Motherhood and Apple Pie sort of stuff. But it also happens to be very, very true. If you go look at security incidents that are reported publicly, you will discover that the vast majority of them were not the dreaded “Advanced Persistent Threat” or the nation-state bogeyman. I talked about that in an earlier blog entry, actually: Vulnerability Management Re-Visited.

What you will find is that, almost every time a company’s security is breached and critical assets are exploited in some way, the company failed to do the security basics well. And frankly, if you don’t do #1, you are going to have a hard time at #2 and #3.

Let’s put this another way. Gartner said at their recent Security & Risk Management Summit that doing the basics of security well enables an organization to reduce the risk they face by up to 80%. You read that right. Do the basics. Stop worrying about the Chinese Army for crying out loud and start worrying about threat and vulnerability management, patching servers, access management, encryption, solid policies. In fact, here are the specifics according to Gartner (I’m in total agreement):

Patch and Update (yep, they listed it first)

Good fundamental policies

Security education

Encryption where it’s warranted

Serviceable perimeter protection

Identity and Access Management

Let me reiterate …. this addresses up to 80% of your risk. If you are not doing this stuff well, you are not running a good security program. The definition of what “good” looks like is out there. Gartner is a good source. Companies like mine are a good source. Yes, of course we are selling products and services. But we’ve also been doing penetration testing and vulnerability management since 1996 and actually know what a good patch and update program looks like. So look to peers in your industry, to analyst firms and to product and services vendors to see what doing the basics well means.

What about the other two? Pretty simple, really. If you don’t know who is going to attack you and how, then how on earth can you possibly do the basics well in the first place? Perhaps I should make Threat & Attack Intelligence #1 and the basics #2? Anyway, figure out what the threat is. If you are a hospital, it’s probably not the PLA. If you are a retail store, it’s probably not medical insurance fraud types. Focus on the bad guys that threaten you. Focus on their real capabilities. And then determine how and where they will attack. See my post explaining that You Can’t Defend Without Intelligence.

Finally, you need to be able to do good incident response. Doing 1 and 2 reduces your risk by something like 80 percent; it does not eliminate it. Something bad is going to happen. If you can’t detect that it happened and respond to the incident, you are going to be in deep trouble. The last thing you want is to have the FBI and the credit card brands show up at your front door to let you know that your network is breached and tens of millions of credit cards have been stolen. You want to be the guy that realizes there is a bad guy operating inside your network and can go to the FBI (or the appropriate law enforcement agency for your scenario and country) and provide them with the information and evidence needed for them to take action on your behalf. Good incident response is measured by building a capability and then testing it yourself, before an attacker tests it for you.

Stop worrying about APT’s and start worrying about the guy that is busy breaking into your un-patched print server and pivoting from there to your credit card data stores. Stop telling your CEO about how many virus infections you cleaned up and start telling him how much risk you are taking out of the business. Start running a good security program by doing the basics well.

I know, boring topic. Just part of IT and Security operations. Nothing sexy here. It’s way more fun to think about how to beat those nasty, mean APT’s, how to detect malware actively on your network, how to do fancy risk management presentations.

But there are two things that are part of your reality, information security people, that make Threat & Vulnerability Management an imperative for you if you wish to succeed.

It’s a 3 day weekend that traditionally announces the beginning of summer. And Monday is the day that we memorialize those who have given their lives in our wars. I’ll do two things I have been doing for years this weekend.

Putting the victim on trial.

Decades ago we learned to stop putting victims of sexual abuse, domestic violence and rape “on trial”. Well, mostly anyhow. But we, mostly, stopped blaming the girl because she wore a short skirt or went to a bar and flirted with guys. These days we don’t try to say that the domestic violence victim invited the abuse or was at fault for not speaking up in the first place. And so forth. But there’s a community that, I am sad to say, spends a lot of time blaming the victims of crime.

Imagine you are an Army General. And you have been given responsibility to defend a town that is the key to the local road network. You have a specific set of units under your command and several days to prepare to defend before the enemy is expected to attack. How are you going to go about setting up your defenses? Could you successfully defend without understanding the routes the enemy will use and what capabilities the enemy will have, in addition to knowing their objective?

I was recently asked what I thought should be the most important resolution for consumers going into 2014. A resolution in the context of improving the individual consumer’s personal and financial security. Since the request was for publication in a magazine article, I gave a relatively brief answer. Since I think this particular resolution is very important for everyone, I decided to expand upon it here on my blog.

Each and every consumer who uses email and the Internet (that’s pretty much all of you) should make the following resolution this New Year’s.

I resolve to change my online behavior in order to not be a victim of an evil doer.

Yes, the people who steal money, financial data and personal data by email and websites are evil doers. They are worse, by far, than the guy holding up 7-11. That guy is lucky if he gets away with $100 and he put himself at significant risk to get that money. He did not dupe, trick, deceive anyone. He didn’t take advantage of a trusting elderly person and steal their life savings. Contrary to what movies like “Dirty Rotten Scoundrels” and “Hackers” portray, con artists are not some sort of underground hero that you should like. Indeed, online con artists … social engineers in the world of information security …. cost society horrible amounts of money. They steal people’s life savings, drain their bank accounts, max out their credit cards, compromise their financial and health data and much more.

These guys are really good and they are, mostly, safe from law enforcement. They are anonymous online and live in countries where US and Western European police forces have a difficult time getting cooperation.

What can you, the individual, do to protect yourself? There are five easy changes in your online behavior that you should make. Almost all people I talk to about their online behavior do at least one of these things on a regular basis. By doing so, you are putting yourself at serious risk. Why? Because the above mentioned evil doers KNOW that you do this and they are taking advantage of your behaviors. So, let’s change them and avoid the risk posed by these guys.

Don’t click on links in email sent to you.

One of the simplest ways for someone to attack you is to put a malicious link in an email. They do something like creating an email that pretends to be from Microsoft, tells you that you need to verify your email address, and provides a very convenient link in the email to do the verification. In fact, I just got one of those emails from another large company that urged me to verify my email and make sure and change my password.

I checked the link that the email wanted me to go to and lo and behold, it was not actually from the computer company named after a fruit. Had I gone to that website and entered my email address and changed my password, they would have had a good chance at being able to compromise my email account. Which is a really critical first step for a nasty financial attack against me, as I point out in the next behavior change. If you think a request like that might be genuine, open a browser and type the company’s address yourself, or use a bookmark you already have, rather than using the link in the email.
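What “checking the link” amounts to, as an added example that is not part of the original post: the Python below pulls every link out of an HTML message body, works out the hostname a browser would really connect to, and compares it both with the domain the message claims to come from and with whatever address the link’s visible text shows. The message body, the `apple.com` allowlist and the function names (`check_links`, `host_of`, `belongs_to`) are my assumptions for illustration. It goes a little beyond the post by also catching three ways the same “not really Apple” link is commonly dressed up: a user-info trick (`https://apple.com@…`), a bare IP address, and a look-alike subdomain.

```python
"""Inspect where the links in a suspicious e-mail really point.

Added example, not code from the original post. The HTML body and the
domain names below are constructed for illustration (assumptions).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    return parser.links


def host_of(url):
    """Return the lower-cased hostname a browser would actually connect to.

    urlsplit().hostname is the part after any 'user@' prefix, so the
    'https://apple.com@203.0.113.7/' trick resolves to 203.0.113.7.
    """
    if not url:
        return ""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def belongs_to(host, domains):
    """True if host is one of the trusted domains or a subdomain of one.

    Simplification: a real check would use the public suffix list so that
    'apple.com.evil.example' style names are judged by their registrable part.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


# Something that looks like a URL or hostname inside the link's visible text.
_URL_IN_TEXT = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def check_links(html_body, claimed_domains):
    """Flag links whose real host is not the claimed sender's or contradicts the text."""
    findings = []
    for href, text in extract_links(html_body):
        real = host_of(href)
        reasons = []
        if not belongs_to(real, claimed_domains):
            reasons.append("host %r is not under %s" % (real, ", ".join(claimed_domains)))
        shown_url = _URL_IN_TEXT.search(text)
        if shown_url:
            shown = host_of(shown_url.group(0))
            if shown and shown != real:
                reasons.append("text shows %r but link goes to %r" % (shown, real))
        findings.append({"href": href, "text": text, "host": real,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: a 'verify your Apple ID' phish with three link styles.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in from a new device. Please verify:</p>
<p><a href="https://appleid.apple.com.verify-account.example/login">https://appleid.apple.com/</a></p>
<p>Or manage your account at <a href="https://apple.com@203.0.113.7/">Apple</a>.</p>
<p>Questions? <a href="https://support.apple.com/">Apple Support</a></p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, ["apple.com"]):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %s -> %s  %s" % (flag, f["text"], f["host"], "; ".join(f["reasons"])))
```

Running it prints one line per link; the first two are flagged and the support link passes. The subdomain test stands in for a proper public-suffix lookup and will not catch a look-alike registered under a different top-level domain, so it is a support for habit #1, not a substitute for it.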

Do not use the same password for your email and your financial accounts. Ever.

You need to make sure that your email and online financial accounts use different passwords. Why? Because if you goof on #1 and give away a password, you don’t want it to be the same as your bank account password. The first thing the bad guy tries is hitting major financial institutions with your ID and password. Most of us are lazy by nature, and we use the same ID and password on all our online accounts. And our evil doer’s odds are decent that you bank at Wells Fargo, Chase, Citi, PNC or Bank of America since as recently as 2009 over 40% of all consumer deposits were at the top 5 banks.

If the password you gave away is only your email password, then the criminal must put more effort into his attack on you. He has to try logging in to each of these banks in turn and then say he forgot his password. When he does, the bank sends an email to your email account asking for confirmation. Since the bad guy now controls your email account (because in #1 you gave him your password), he can confirm that he is you and change your bank password to one he wants. But it was harder than if you use the same password for both, which is also why your email password deserves to be the one you guard most carefully.

Remember that behavior by friends and acquaintances that isn’t normal is suspicious.

Emails, ecards, etc from acquaintances that are out of character should generate suspicion. A friend who never sends you an e-card is unlikely to have suddenly decided to start sending them. Much more likely is that your friend’s email account was compromised and is now being used to initiate a social engineering attack on you.

Of course you trust your friend. Of course you want to see this funny card that your friend sent you. Of course you click on the link. And, of course, the e-card website hosts malicious software (a “virus”) and is able to install it on your computer. Depending on the goals of this bad guy, many different things can happen. Often you will never even realize it, but your computer is now being used as part of a botnet that can attack many other computers and networks. Or, perhaps, there is now secret keylogging software on your computer, recording every keystroke you make. And so on.

Enable anti-spam technologies in your email client.

Your email client has technology that enables it to filter many of those social engineering email attacks, whether it is an online email service like Yahoo! or Google, or a program on your computer like Apple’s Mail or Microsoft’s Outlook. Seriously. All you have to do is turn it on and it works. It looks at your email, decides what is malicious and then sends that email to a junk folder.

Some of the email that gets filtered in there is pure spam. You know, offers for viagra, cheap home loans, pornography. But some of the email that is filtered is from the guy trying to get you to “reset your password”. So use the technology and make your life better. No ads for viagra and far fewer malicious attacks get in your inbox.

Be aware of offers that are too good to be true.

If you receive an offer in your email that is really good, like REALLY good …. delete it. If it is too good to be true, it’s a trap. If someone wants to pay you $20/hour to work from home and the work is “easy” and you have never heard of them before in your life …. it’s a con artist. You will become a mule for financial crime and not even realize what has happened. The money going through your account that you are earning $20 an hour to transfer around the world? Yep, you guessed it … it’s stolen. They are playing on your desperation, greed, etc to get you to help them commit a crime.

Yes, it’s that time. Writing a blog post to wrap up the year, just like all the rest of you do. I decided I’d cover my personal and professional life and the infosec world too. And I realized that it’s been a pretty crazy year on all 3 fronts. It’s been up and it’s been a stomach churning drop as well. With a couple of barrel rolls, a loop de loop or two and some high speed turns thrown in.

Personal Life

My personal life is all about planes, trains and automobiles this year. Well, okay, no trains. So, all about planes and automobiles. But the first is funnier. Anyhow, probably the two big personal life stories involve planes and cars.

First, my 16 year old stepson has his driver’s license. And a car. And he got in his first (not at fault) accident, too. Yep, that was a heck of a ride right there. He’s a good kid. Very conscientious and careful about driving. But still the accident. Within less than a mile of the house. Stacy went and rescued him and did a great job at it.

With my professional life really ramping up, I spent a ton of time traveling. Lots of time on airplanes. I mean LOTS …. From Aug 1 to Dec 20 I flew 63,862 air miles. That includes going to just about every major airport in the US. That includes Atlanta, Dulles, National, Boston, Pittsburgh, Detroit, Columbus, Minneapolis-St. Paul, O’Hare, Dallas, Houston, Phoenix, Los Angeles, San Francisco, Portland and Seattle.

That’s a lot of freaking air travel and airports in less than 5 months. And that doesn’t include the fact that I flew to Sydney, Australia. That’s 16,882 miles for a 6 day trip. An average of 2,813 miles per day. LAX to Sydney is 14 hours on an airplane.

Yes, my personal life involves a lot of flying. And more importantly, being away from my family a lot. They support what I do, and they agree with the choices. But I’m not sure any of us were quite prepared for what this was going to look and be like.

20 weeks. 63,862 miles. 3193 miles a week. My wife is a saint.

On a side note, in the middle of that I got to meet a guy I’ve been corresponding with since 2003. For 10 years I have written to, and interacted with, Glenn Reynolds. Most of you know him as Instapundit. Well, he was the keynote speaker at the ISSA International Conference this year. And he and I spent two hours having a drink and a bite to eat. What a strange world when you can know someone for a decade BEFORE you actually meet them.

Professional Life

My professional life this year can be summed up in one easy statement: Continuous change.

Seriously, this year has been one of change. In January I was the CISO and head of Enterprise Risk Management for Providence Health & Services. Today I am the Vice President of Security & Strategy for Core Security. In the middle of that Providence had a new CEO, first time that changed in over a decade. And healthcare is going through massive and immense change, as we all know. What it will look like in a year or two is anybody’s guess. But certainly not the same.

So I left being the CISO of a large corporation …. A company that would be about #208 on the Fortune 500 list, about comparable to Starbucks …. Something that my friend Dave Estlick and I always tease each other about. But no longer. I now work for a company with 185 employees and revenue of about $25 million a year. For someone whose professional life has been the US Army, EDS and Providence, this is a massive change. Huge. And fun. I love this company.

And I changed what I do, as well. In the Army I was a small unit leader, a tank commander. At EDS I led teams in business process outsourcing, professional services and consulting environments. At Providence I led an information security department for 7 years. Now? I lead strategy for Core. I have no direct reports. I have no direct team (at least for now). So, my whole professional life I have led teams and been measured by how well I did that. And now, I will be measured by my personal impact to a company. Not by what my team does or how good at leading a team I am.

That’s a big change at age 46.

The InfoSec World

A year of turbulence and change. We found out that the NSA couldn’t keep a contract employee from stealing all their secrets. We found out that we were right about Adobe and their ability to do good security. And it turned out that traditional mechanisms of securing payment systems just weren’t going to work well if you were a retailer the size of Target.

The bad guys are so capable and have so many resources that they were hacking in to media companies like the NY Times and Washington Post just to find out what was being written about them.

The head of the NSA got heckled at Black Hat.

This was the year that social activist and revolutionary attacks came into their own. Think about Anonymous and the Syrian Electronic Army. Think about all the Twitter and LinkedIn attacks and phishing and spoofing.

This was the year that the whole world discovered that China was cyber enemy #1 … and then wondered if the NSA had surpassed that.

This was the year that it became obvious that traditional information security was not the solution to stop cyber attacks. And now we wonder what to do.

Frankly, my personal and professional life were driven by my realization that information security had to change. It’s been a roller coaster. It’s been crazy. But really, life is better than ever. I have a great wife, great kids and a great job. I get to make a difference, to some small extent, in the world around me every day.

I haven’t even talked about food I’ve eaten, some of the great wines I’ve had, cigars I’ve smoked. Not a word about the good times my wife and I have had. Or the various trials and tribulations of the family. But I figured you guys were bored by now. So, here’s the end.

The Disclaimer

Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.